We use cookies to give you the best possible online experience. If you continue, we'll assume you are happy for your web browser to receive all cookies from our website. See our cookie policy for more information on cookies and how to manage them.

Knowledge store

An Introduction to Business Continuity Planning [Hardfacts]

Introduction

Although headline disasters capture the attention, businesses need to be aware that other more specific or mundane events are just as likely to threaten their organisation. For example, a recent Chartered Management Institute survey revealed that only 36% of organisations have a Business Continuity Plan that addresses disruption by extreme weather conditions as a concern yet 58% suffered disruption as a result of this during the previous year.

Disasters can and do happen and will cause healthy businesses to fail. Disasters create missed opportunities, cash flow problems and can often result in bad publicity. All this can lead to a loss of client confidence and your competitors will take advantage.

Planning makes a substantial difference to the possibility of surviving an incident. While it may seem an extra burden to prepare a plan, challenging situations place severe pressure on individuals to make decisions and take action under stressful conditions. Experience proves that it is easier to consider all the issues surrounding a potential crisis objectively beforehand.

Insurance has a vital role to play in supporting your recovery, but it makes sense to have a plan as well. This should give you the opportunity to reduce the risk of some incidents occurring and to know what immediate measures to take to minimise the initial impact.

A Business Continuity Plan doesn't need to be complicated and does not need to deal with every scenario. If your plan enables you to cope with the worst case scenario, it will also help you to deal more easily with less serious incidents.

Key Action Steps in Continuity Planning

Select your team

Analyse the threats and introduce practical reduction measures

Plan how to cope with the immediacy of the incident

Prepare supporting documents e.g. contact lists and action lists

Plan for the recovery of the business

Pay special attention to computer and data

Try the plan out and keep it up to date

Select your team

Developing a plan and implementing a plan are best done as team activities. Keep numbers low-two people may be enough for some small businesses. People to consider include accountants, IT and other staff with specialist knowledge. Consider a deputy for each of your team members.

Analyse the threats

The team should begin by listing all the activities of the business and then list the likely incidents that could affect these activities. This might include storm, flood, theft, fire, machinery breakdown, power failure, computer virus, telecommunications failure, strikes and problems with suppliers.

For each of the threats you have identified you should:

Decide how likely they are to happen

Cost the immediate effects of these threats on your business

Consider the long term effects on your business

The most serious threat should emerge from these considerations. Remember that if you plan for the worst case scenario, your plan should also be effective in dealing with less serious incidents.

Prevention and reduction measures

Now that you have analysed the threats to the business you can take this opportunity to reduce the risk they pose by implementing practical risk reduction measures. After all, prevention is better than cure. If financial budgets are limited then you may have to implement these over a period of time. Should this be the case then you should concentrate upon mitigating those threats that are more likely to occur and with a more significant impact upon the business. Your insurer may be able to offer assistance and recommend products that offer the best value.

Incident Management Planning

You now need to plan the immediate actions that the Team will have to implement. This will include how the business will deal with issues such as:

Maintain a "Disaster Recovery Log" to record details of their actions, losses identified and expenses incurred

Communicate with press, stakeholders, suppliers and important customers

Redirect telephone lines and post if necessary

Decide which member of the team will be responsible for which actions

Decide where the team will meet as your own premises may be damaged or you may be denied access to your premises, e.g. in the event of an incident at a neighbouring premises.

Supporting documentation

You should prepare contact lists with names, addresses, telephone numbers, email addresses and mobiles for the people the Team will need to contact, either to inform them of the situation or to ask for their help. This will include:

Staff

Material suppliers

Machinery, IT and office equipment suppliers

Customers

Bank contacts

Insurance contacts

Utility suppliers

Tradesmen who can assist

Asset register

Local Authorities and enforcement bodies

Additionally you should prepare action lists itemising the tasks and who is responsible for them, completion of which will ensure an acceptable response is delivered.

Business Recovery planning

If the worst case scenario results in a longer term interruption to your business you will need to consider alternative working practices that will allow you to continue trading with your customers during the sometimes lengthy period when the physical damage is reinstated. Measures to consider include:

Using temporary premises such as short term leased premises, serviced offices and temporary or mobile structures

Availability of replacement equipment, materials and stock

Have you considered alternative suppliers, hiring machinery and second-hand machinery

Have you considered subcontracting

Having telephone calls diverted to alternate locations, possibly run by a specialist contractor

Diversion of mail to pre-designated premises

A special note about computers and data

Most businesses, regardless of their size, are becoming increasingly reliant on computers and electronic data. A minor incident affecting your computer systems and data can manifest itself into a major interruption to your business if you have not properly prepared how to deal with it. You will need to consider protection against cyber-attack how to manage the aftermath as well as protection again the more visible physical threats.

Remember it is important to ensure that an up to date copy of all your data is kept offsite at all times.

You might want to consider temporary manual systems of working to allow the business to continue. If this is not possible you should consider using a specialist IT continuity provider. Depending on the company they can offer an end-to-end service from consultancy and planning to the provision of alternative IT equipment and premises.

Rehearsing and maintaining the plan

The plan does not belong on a shelf gathering dust. It is important that each member of the team has a copy of the plan, and that they keep a copy of the plan away from the business as you never know when disaster might strike.

The best thing to do is to exercise your plan to be sure that it will work if disaster strikes. You could simulate a disaster with a desktop exercise, or you could try out a simulated "mini-disaster". Change the plan accordingly from what you learn from these exercises.

It is important to keep the plan up to date. Make sure the supporting documentation is updated regularly and review the entire plan each time there a changes in organisational structure or there is a major change to the business. Make sure that all copies of the plan are up to date and destroy all out of date copies.

Next Steps

Source discounted products, available to Aviva insured customers and brokers, via our Specialist Partners - click here to find out more about the savings you could make

Please Note
This document contains general information and guidance and is not and should not be relied on as specific advice. The document may not cover every risk, exposure or hazard that may arise and Aviva recommend that you obtain specific advice relevant to the circumstances. AVIVA accepts no responsibility or liability towards any person who may rely upon this document.

Rate this entry

Was this helpful to you?

YesNo

Knowledge Store information is designed to give general information on key risk management topics. Readers should take specific advice when dealing with particular situations. Aviva Risk Management Solutions accepts no responsibility for action taken as a result of information contained in this document. The information contained herein is correct at the date of publication. For more information contact Aviva Risk Management Solutions, 8 Surrey Street, Norwich, NR1 3NG. Telephone: 0345 366 6666 e-mail: riskadvice@aviva.com